In the previous post ERM Implementation – Platitudes? I drew a distinction between the bureaucratic or formalistic side and the practical value side of any program or initiative. I thought I would post an ERM pdf – Implementation Tool focusing on just this aspect of enterprise risk management implementation. It is a diagnostic tool containing criteria that you will be able to apply to your organization.

Avoid confusion: people should recognize enterprise risk management as distinct from enterprise resource management. For example, resource management at NetSuite.com, a cloud computing technology leader, offers an application to help ensure the efficient allocation of resources within the organization. The rollout of cloud computing applications is discussed in the online course Managing IT/Cyber Risk. [Disclosure: ERTechnical receives an affiliate fee for the NetSuite link.]

Here is a preview of some of the elements from each of the two sides of ERM methodology, with editorial comments in each category:

FORMAL SIDE

Selection of Risk Management Standard:
[Select an appropriate risk management standard in order to give uniformity to language and definitions. The standards more or less converge on similar concepts and order of steps. However, it will require interpretation in order to make it meaningful in the context of your work. You can’t rely on it as an implementation guide as it stands.]

Documented Corporate Policy:
[This is the outline of the application of the standard to your organization. The danger here is that it is much too long, with too much extraneous theory and especially advice that has been written in advance of practical trials.]

PRACTICAL VALUE SIDE

Investigation and Trials of Risk Identification Methods at the Operational Level:
[These criteria are at the heart of the matter. An effective risk ID and assessment process, both at the strategic and operational level, is essential to successful enterprise risk management. This will ensure value and engaged participation. These points are covered in detail in the risk management online training course: How to Conduct High Quality Risk Assessment.]

Risk ID Methods Developed to Target Specific Work Functions:
[It is unlikely that a rigid and uniform risk methodology will work across all departments. Involving staff to develop and refine the methods, while observing compatibility across the organization, is a good way to make risk ID useful to them.]

The last part of the ERM tool is the assessment: to compare the formal and practical sides. The idea is not to discard the formal aspects altogether, but to determine whether they are being used excessively. Perhaps you agree that it is better to lead with the second list: the practical work elements.

Rather than lead with too many formal aspects, you can develop them incrementally to support the proven practical work. This results in higher utility, sustainability and credibility of your ERM framework implementation.

Those wishing to study further the principles of program implementation, as applied to ERM, may be interested in a new Risk & Insurance Management Society online course to be launched later this year. It is called Special Case Studies in Risk Management. It includes a module called Overcoming ERM Resistance, with a 40-minute presentation, case study, and a more elaborate implementation tool with 24 criteria. I will post an announcement.

It is ironic that future scenario analysis, developed famously by Royal Dutch Shell, was not used when it should have been in that very same industry. AP reported on May 06 that:

“…a site-specific exploration plan filed by BP in February 2009 stated that it was “not required” to file “a scenario for a potential blowout” of the Deepwater well.”

Risk and international business managers could take a close look at risk scenario planning as a way to grapple with black swan risk, defined here in the Barnes and Noble synopsis of Nassim Nicholas Taleb’s book:

Doesn’t that definition, by the way, assume that you were able to at least identify the risk before deeming it improbable? Perhaps the true black swan risk is the one that broadsides you altogether. In any case, the value in future scenario planning is that it sidesteps the necessity to predict. It does not depend upon forecasting.

We all know business continuity scenarios are not like conventional risk management, not only because they deal specifically with disaster and emergency risk, but also because they focus on mission-critical functions, and often take an all-hazards approach. There will be significant areas of overlap in plans to address several different perils.

Similarly, risk scenario analysis is interested in resilience, and starts from a consideration of a core mission. You define the trends with the most significant influence upon that mission, and then create extreme – but plausible – scenarios. The advantage is that you are not relying on one narrow prediction or forecast. You have instead rich scenarios that present conditions that challenge your organization’s survival in different ways.

The team can then plan pre-event treatment, and adjust its plans to meet difficult conditions in something like an all-hazards approach.

Risk practitioners point out another advantage to future scenario analysis. It permits a freer discussion than is normally held to identify essential business functions, assets at risk, types of threats, and the longevity and relevance of the organization’s very mission. For example, if the team determines that, in three out of four future scenarios, shifts in industry practice, business models and technology would likely render the core business obsolete, they might well re-evaluate their strategic direction.

I have put in a proposal to RIMS to develop another risk assessment online course [update: Creating Value: Risk Manager as Innovator — up and running], in which I would include a module on risk scenario analysis, using the future scenario planning model.

RIMS Workshops: Financial and Quantitative Risk
I recently attended one of the Risk and Insurance Management Society’s (RIMS) workshops in Toronto: “Finance for the Risk Manager”, facilitated by Philippe Sarfati, Chief Risk Officer for Coast Capital Savings in Vancouver. My motive was to become familiar with finance risk analysis, and then somehow to integrate it with my current techniques for risk assessment: business decisions should benefit from a comprehensive approach.

This quest has some history: I first became interested in risk in finance when participating in the review of public-private partnerships in BC government. Much later I attended another workshop (Risk Analysis Tools Boot Camp) with the idea of exploring how financial and statistical modeling should be related to the whole planning process. My thought is that risk managers really ought to oversee data analysis and financial models, to review their scope and assumptions, and situate them in a wider context of corporate goals and values (see my February 2009 post Financial Risk Modeling).

Well, my overall impression was that the course was a ‘tour de force’ from the banking world. It was fascinating to see how a career banker brought rigorous methods to risk quantification for individual projects.

It was clear that the facilitator conceived of the world of risk management as primarily a financial exercise, because ERM (enterprise risk management) was relegated to a sub-category within Ops, while the main rubrics of the risk regime were: Credit Risk; Operations Risk; Market Risk; Liquidity and Funding; and Legal/Regulatory/Compliance Risk.

Therefore, we were really learning financial analysis for projects – from a risk management perspective, largely to recommend or reject a given project. Among other things, we looked at Expected Loss, Risk Adjusted Return on Capital, and the relationship of discounted cash flows to likely and required returns. Earnings at Risk, Value at Risk and Credit Risk exercises are included in the slide deck.

We had an interesting discussion on the role of professional financial advisors: while everyone agreed that we are all to some degree dependent on outside sources to substantiate investment decisions, there is no substitute for your own analysis.

The idea was for risk managers to understand that they really need to present to senior executive or the Board a range of options, with risk factors made clear. You can present the likely rate of return for a given project; that is, the forecast or expected return. It must be equal to or greater than the firm’s required rate of return – their own internal benchmark. You must also present the probability of success for each of 3 options. You need to use stress testing, present the risks of doing nothing, and explain the opportunity cost associated with each option.

Business Decisions and Risk
Project decisions, in conjunction with the financial analysis, are then go/no-go decisions made by virtue of:

the difference between required and expected returns;

the organization’s tolerance for risk; i.e., the degree of variability or volatility that the organization’s capital structure can support; and

the possibility of correlated risk.

What struck me was that the financial analysis fundamentally relied on various calculated probabilities of events: that is, the typical probabilities of failure for similar projects or lines of business.

The trouble is, rating agency reports, as well as peer or industry data, can be either hard to obtain, or suffer from poor validity and comparability. The instructor pointed out that, indeed, a firm’s proprietary Internal Risk Rating – a system that models income, risks and losses based on similar projects or lines of business – if well developed and accurate, can be a source of competitive advantage.

I would add that projects are also dependent upon the probabilities of events that are not necessarily catalogued, assigned a probability distribution, or even identified without a concerted effort. There are unique elements, and many risk categories that are not strictly financial, within a given scenario. Projects and program plans should be checked at the conceptual stage re: alignment with strategic direction and core business, reputation risk, stakeholder and consultation risk, and the organization’s system of ethics and values.

This workshop met very well my expectation to gain some understanding of how the financial analysis is done. I think, to be comprehensive, the risk manager has to facilitate the discussion to integrate the financial view with strategic and operational risk assessment.